By: Frank R. Mitchell, CITRMS
According to the Privacy Rights Clearinghouse, approximately 10 billion records have been lost or stolen from businesses, schools, government agencies, and non-profit organizations since January 2005. Is your financial practice at risk?
This is a case of “what you don’t know can hurt you.” Here are TEN fallacies about identity theft and information security that NO ONE is talking about.
1. Identity theft is a consumer issue. Individuals are ultimately the victims of identity theft, but their information is usually stolen from the organizations where they work or do business: the businesses, schools, government agencies, and non-profits that, according to the Privacy Rights Clearinghouse, have lost over 10 billion records since January 2005! For the organization, that loss means state and federal fines, lawsuits, and a damaged reputation once the affected individuals become victims of identity theft.
2. Our organization doesn’t have the “kind” of information that thieves want. Most organizations focus only on protecting Social Security numbers and credit card numbers. Today’s identity thief, however, can make use of almost any identifier, including birth dates, driver’s license numbers, account numbers, financial identifiers, medical identifiers, and business information. That data is at risk at every stage of its life: when it is collected, processed, transmitted, transported, stored, and disposed of, and whether it belongs to employees, customers, or vendors.
3. Our organization is too small. When it comes to information loss, size does not matter. The federal and state fines, class action lawsuits, and reputation damage that follow an information security incident can be devastating to an organization of any size. The Disaster Recovery Journal, citing the U.S. Department of Labor, reports that 93% of businesses that experience a significant data loss go out of business within five years; of those, 43% close within the first year and 72% within the second. That figure covers significant data loss of any kind, not only theft, but the lesson is the same: a small firm has the least cushion to absorb the cost of an incident.
4. I trust (or know) everyone that I do business with. Trust between an organization and its employees and customers is necessary for a successful enterprise. However, many information security incidents involve someone on the inside, and the loss may be accidental as easily as malicious. Knowing someone does not mean you know their intentions, or that they will never make a mistake. Proper training and safeguards go a long way toward reducing the probability of loss.
5. Information security is a technology issue. Most organizations have taken some precautions to secure their computers and networks. Paper deserves equal attention: stolen or misplaced paperwork, including files left out on desks, accounts for a share of losses as well. Confidential and Sensitive Information is at risk in any form. A comprehensive prevention approach involves managing people’s behavior, securing your physical environment, and securing your technology.
6. I’m covered – we have an information security policy. A policy document is where most organizations have begun and ended their efforts to reduce identity theft risk and comply with the law. A policy is necessary, but a policy alone will not detect, prevent, or mitigate a loss. You also need to assess the risks specific to your organization and put prevention measures in place against them.
7. People’s information is already available – I don’t need to protect it. Even if some of a person’s information has already been exposed elsewhere, your obligation to protect what you hold does not go away: most states now have laws requiring you to notify everyone whose information you lose, and those customers will hold you responsible. In the event of a breach, 31% of affected customers will terminate their relationship, 57% will lose trust and confidence in the company, 8% will file formal complaints (involving lawyers), and 72% say there is a great chance they will become victims of identity theft (Ponemon Institute Research Report, 2008).
8. It won’t happen to me – show me an organization my size that has had a breach. Several websites track information security breaches; the Privacy Rights Clearinghouse, www.privacyrights.org, is a good resource. As you peruse the list of unfortunate organizations, you may rationalize that they are too big, too small, in the wrong location, in a different industry, or in different circumstances than your organization. Be careful! As long as an organization holds information that is of value to a thief, a degree of risk exists.
9. The government isn’t enforcing these laws. Both federal and state legislation is becoming more stringent for organizations of all sizes, and the fines and penalties these laws authorize can be substantial. Even if lawmakers and regulators never hold your organization to account, you should still take proper measures to protect information, because the lawsuits and damaged reputation that follow a breach do not depend on an enforcement action.
10. Protecting my organization from information security incidents is expensive. Not taking PROPER measures to protect Confidential and Sensitive Information can be far more expensive once reputation damage, lawsuits, fines, penalties, and mitigation costs are counted. A good comprehensive program includes education, a risk assessment, policy, procedures, employee training, a response plan for a loss or breach, the resources to carry it out, and continuing updates.
Most organizations manage some form of Confidential and Sensitive Information in the normal course of doing business. It is important to the health of your organization to understand what you hold, how it is at risk, and to put practical measures in place to protect yourself.
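“Understand what you hold” starts with finding the identifiers from fallacy 2 wherever they sit, in files, tickets and exports. The script below is an added example, not the author’s or any vendor’s tool: it scans text for Social Security numbers, payment card numbers, ABA bank routing numbers and dates of birth, and uses the checksums and issuance rules those identifiers carry to discard look-alike digit runs before reporting them. The sample records are constructed for the example, the pattern set is an assumption (driver’s license formats vary by state and are deliberately not modelled), and a real scan would walk a file share or mailbox rather than a string.

```python
import re
from datetime import date

# Identifier patterns (assumption for this example; extend per your data inventory).
PATTERNS = {
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "routing": re.compile(r"\b\d{9}\b"),
    "dob": re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_valid(digits: str) -> bool:
    """ABA routing-number checksum: weights 3,7,1 repeated, sum divisible by 10."""
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0


def ssn_valid(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area never 000, 666 or 900-999; group and serial never all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def dob_plausible(year: str, month: str, day: str) -> bool:
    """A birth date must be a real calendar date, not in the future and not absurdly old."""
    try:
        born = date(int(year), int(month), int(day))
    except ValueError:
        return False
    return date(1900, 1, 1) <= born <= date.today()


def redact(value: str) -> str:
    """Report findings without copying the identifier into yet another file: keep last 4 digits."""
    digits = "".join(c for c in value if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list[tuple[str, str]]:
    """Return (kind, redacted value) for every identifier that passes its validity check."""
    findings = []
    for line in text.splitlines():
        for m in PATTERNS["ssn"].finditer(line):
            if ssn_valid(*m.groups()):
                findings.append(("ssn", redact(m.group(0))))
        for m in PATTERNS["card"].finditer(line):
            digits = "".join(c for c in m.group(0) if c.isdigit())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(("card", redact(digits)))
        for m in PATTERNS["routing"].finditer(line):
            if aba_valid(m.group(0)):
                findings.append(("routing", redact(m.group(0))))
        for m in PATTERNS["dob"].finditer(line):
            if dob_plausible(*m.groups()):
                findings.append(("dob", redact(m.group(0))))
    return findings


# Constructed sample export; the last line holds only look-alikes that must NOT be reported:
# a 9-digit ticket number that fails the ABA checksum, a future date, and an SSN with area 000.
SAMPLE = """\
Client: Jane Doe, DOB 1985-03-21, SSN 219-09-9999
Card on file: 4111 1111 1111 1111
Bank: routing 021000021, account 000123456789
Ticket #123456789 opened 2099-01-01 by ref 000-12-3456
"""

if __name__ == "__main__":
    for kind, value in scan(SAMPLE):
        print(f"{kind:8s} {value}")
```

Run against the sample it reports one SSN, one date of birth, one card and one routing number, and stays silent on the fourth line; the checksum and issuance checks are what keep a scan like this from drowning reviewers in ticket numbers and invoice totals. Anything it does find is a record in your data inventory, with a location, an owner, and a reason to ask whether it needs to be there at all.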
Frank R. Mitchell, CITRMS is an accomplished social engineer, consultant, and nationally recognized speaker on cybersecurity, identity theft, and fraud. He is a Compliance Officer and Cybersecurity-Identity Theft Prevention Consultant for Sigma Financial Corporation / Parkland Securities, LLC / Sigma Planning Corporation.